On deepend wrote:
It keeps being abused to run things like VPN's and such
that I have to turn it off.
Wait, did Tilde.club originally allow using the SSH port forwarding facility
to connect to other hosts... or was it always to-localhost-only,
and despite that, it got abused with user-run forwarders to the point
of nontrivial bandwidth usage or landing a legal notice?
I'm currently using this facility for connecting to already-existing
Tilde.club services like NNTP (manual transit mode check, and reader mode
GUI newsreading/posting) and less commonly IRC (retro GUI client
without TLS), and Email (retro GUI client with incompatible TLS).
Never really tried making it connect to another host
or listen to anything, though.
I think it shouldn't do much harm to leave port forwarding on,
but in whitelist-only mode by default [1]
(`PermitOpen localhost:PORT1 localhost:PORT2 ...` [2], with the individual
endpoints of Tilde.club's officially-provided services specified on the line)
*and* with reverse tunneling disabled [3]; then leave all other ports
--including reverse and Unix socket tunneling-- to be decided
on a case-by-case basis, as you said.
Doing this should allow the intended uses of SSH tunneling to continue,
while bringing individual user-run tunneled "services" (which you said
is where the abuse occurs) under scrutiny.
Regards,
~xwindows
[1] Don't forget to set `AllowStreamLocalForwarding no` as well.
(Available since OpenSSH 6.7)
[2] When this line is absent, the default SSH configuration picks
`PermitOpen any`, which means that *if* TCP forwarding is enabled,
forwarding to any port is allowed.
[3] `PermitListen none` (Available since OpenSSH 7.8)
--
xwindows' gallery of freely-licensed artworks
https://tilde.club/~xwindows/ http://tilde.club/~xwindows/ gopher://tilde.club/1/~xwindows/
--- Synchronet 3.19a-Linux NewsLink 1.113
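The whitelist-only scheme sketched in the post above, written out as an sshd_config fragment. This is an added example and is not the poster's or Tilde.club's actual configuration; the port numbers (119 NNTP, 6667 IRC, 25/110/143 for mail) are assumptions based on the standard assignments, since the post does not say which ports the services listen on, and the user name `alice` in the Match block is hypothetical.

```sshd_config
# Added example, not from the original post or from Tilde.club's config.
# Whitelist-only local forwarding: users can tunnel to a fixed list of
# on-host services and nothing else. Port numbers are assumptions.
# sshd_config has no trailing comments: '#' is only valid at line start.

# Global defaults, applied to every user.
# Allow only -L (local) forwards; refuse -R (remote/reverse) forwards.
AllowTcpForwarding local
# Belt-and-braces for the above: refuse every remote listen request (7.8+).
PermitListen none
# No Unix-domain socket forwarding (6.7+).
AllowStreamLocalForwarding no
# Whitelist of destinations a client may ask the server to connect to.
# The host part is matched literally against what the client sent, so
# "localhost" and "127.0.0.1" are listed separately (ports assumed:
# NNTP 119, IRC 6667, SMTP 25, POP3 110, IMAP 143).
PermitOpen localhost:119 127.0.0.1:119 localhost:6667 127.0.0.1:6667
PermitOpen localhost:25 127.0.0.1:25 localhost:110 127.0.0.1:110
PermitOpen localhost:143 127.0.0.1:143

# Case-by-case exceptions: Match blocks must come after the global
# section and override it for the matched users only. Hypothetical
# user "alice" gets one extra local destination and one reverse tunnel.
Match User alice
    PermitOpen localhost:119 127.0.0.1:119 localhost:6667 127.0.0.1:6667 localhost:8080
    PermitListen localhost:2222
```

Two things worth checking after deploying this. First, `PermitOpen` only ever narrows what `AllowTcpForwarding` already allows, so a user who is denied by `AllowTcpForwarding no` in a later Match block gets no forwarding regardless of the whitelist. Second, the effective settings for a given user can be dumped without logging in with `sshd -T -C user=alice,host=example,addr=127.0.0.1 | grep -i permit`; a client that then requests a destination outside the list, e.g. `ssh -L 8080:localhost:8080 alice@host` as some other user, sees the server refuse the channel with "administratively prohibited" while the session itself stays up.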